What is a WISP for Accounting and How To Get One

A WISP is your strategy or game plan for keeping your client’s personal and financial information safe.

Dave Nielsen

Dave Nielsen lives in Salt Lake City. He holds a PhD from the University of Cincinnati and writes regularly about business and healthcare.

In accounting, WISP stands for Written Information Security Plan. A WISP is a document that accountants are required by law to create. A WISP is your strategy or game plan for keeping your client’s personal and financial information safe. If you get paid to do someone’s accounting, then yes! You’re going to need a WISP. 

Creating a WISP is a helpful exercise since it makes you assess what you and your firm are doing to protect your clients from hackers, financial marauders, or other potential security breaches. Then again, making a WISP is also now the law, which means knowing how a WISP works is mandatory.

How a WISP works

Once upon a time, there was a law called the Gramm-Leach-Bliley Act. It said that financial institutions, which your beloved accounting firm is one of, are required to protect customer data. 

The Federal Trade Commission (FTC) soon followed this law up with something called the Safeguards Rule. 

The Safeguards Rule gives you the nitty-gritty. It says that to stay on good terms with the law, every financial institution in the United States of America needs to do the following, and I quote: 

    • Designate one or more employees to coordinate its information security program
    • Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks
    • Design and implement a safeguards program, and regularly monitor and test it
    • Select service providers that can maintain appropriate safeguards by ensuring your contract requires them to maintain safeguards and oversee their handling of customer information
    • Evaluate and adjust the program considering relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring

Your WISP is a written document, double-spaced and in font size 12, of all the ways your accounting firm is meeting these requirements. 

Okay, okay, the Safeguards Rule doesn’t say anything about double-spaced or font size 12. That’s just a little humor. But it does say that you have to create the document and that it needs to be more or less coherent.   

You know you need to create a WISP. Now what? 

If you don’t want to create a WISP yourself, you can hire another person or company to do it for you. Then again, you can also go to the IRS website and download a document that walks you through the process.

The document is creatively entitled “Creating a Written Information Security Plan for your Tax & Accounting Practice.” As you can see, the person who did the final editing on the document didn’t quite understand the difference between Title Case and Sentence Case. The “your” should actually be capitalized.  

What’s inside the document is what matters, and fortunately, it’s pretty helpful. For example, on page 5, you get a recommended table of contents for your WISP. It looks more or less like this:

    1. Define the WISP Objectives, purpose, and scope
    2. Identify responsible individuals
    3. Assess Risks
    4. Inventory Hardware
    5. Document Safety Measures in place
    6. Draft an Implementation clause
    7. Attachments

Again, don’t think too hard about the IRS and FTC’s shocking lack of understanding when it comes to Title Case vs. Sentence Case. Focus instead on what the words are saying, and then follow the outline.  

Later on, there’s even an example WISP that you can follow as a template for your own document.   

Is a WISP required for a PTIN?

Now that you’ve learned a little about WISPs, there’s only one question that remains: Is a WISP required for a PTIN? You bet your socks it is.

Anyone who gets paid to help someone with their accounting needs a WISP. In fact, the PTIN application has a checkbox for confirming that you have a WISP. When you get to that moment, try to remember George Washington accidentally chopping down his father’s cherry tree, and then mark the box as truth dictates you to do. (Hopefully, you just have a WISP ready to go so you don’t have to think too hard about it.)   

That about wraps it up for this week’s episode on the historical, emotional, spiritual, and legal importance of WISPs. 
